It's hard to believe that they weren't aware of the issue. It's even more incredible that the set of credentials is so ludicrous!

...and somehow, claiming a restricted set of IP blocks the access could come from, as a mitigation? Yeah, a minor mitigation. Not like I want ANYONE having carte-blanche access to my firewall! [Sometimes, that *especially* includes the vendor!]

IMO, getting caught doing this is an instant death penalty. I will never, *ever* consider buying equipment from a vendor who has done this.

If I was a 'cuda customer I'd want a lot more information on who put this 'feature' in and when.... But luckily I don't use IT gear sold on the Howard Stern channel between ads for ExTenz penis enlargement pills.

I noted they aren't identifying the block owners. I assume they are state actors and this was all very purposeful. If I had any of their gear I'd be demanding all the blocks and then null routing them (before it even hit the firewall)...

As someone who has found numerous instances of these kinds of backdoors and just not bothered publishing them because they are obvious to anyone with basic skills and access to the device or software, I have to ask, WTF did you expect?

Does anyone seriously believe that programmers and vendors, let alone key suppliers to strategic institutions around the world, would supply software or hardware that they did not have a way to gain administrative access to for "support" purposes?

Does anyone really believe that if they outsource your development, the developers will not leave a "test harness" with a "debugging interface" in the compiled code? Really?

The story here is not that Barracuda has a backdoor, it's that IT people are so naive that they are shocked by it. Someone will sell you hardware and software, but they will never sell you control. If you want control, that's what you pay security consultants for.

I'm shocked, Shocked!...

The firewalls we put in come with remote admin and remote support turned off by default, and you can turn it on if you wish.

Think of it as opting-in vs opting-out. When it comes to letting anyone else into my firewall, I much prefer the opt-in method.

Are you making an argument for open source that you can inspect and compile yourself?

The blocks are:
205.158.110.0/24
216.129.105.0/24
(from one of the linked articles)

article wrote:

These ranges include some servers run by Barracuda Networks, e.g.
spam04.barracuda.com (216.129.105.22)
forum.barracudanetworks.com (216.129.105.38)
barracudacentral.org (216.129.105.40)
repsrv.barracuda.com (216.129.105.42)
mirror01.barracudacentral.com (216.129.105.94)
...

Words hardly suffice.

I don't hate to say this... Barracuda needs to be sued into oblivion, and some folks at Barracuda need to go to prison. Anyone who knew of this backdoor, anyone who authorized it, and (if they knew about it and sold it to government buyers) anyone who acted as a salesman. Because the words of the day are ESPIONAGE and SABOTAGE.

What am I missing? If the account is non-privileged, what's the real harm?

The harm has multiple measures. Beachhead has already been mentioned above, but more importantly it shows either a serious level of incompetence in source code management, security audits and QA or the spectre of intentionally providing means of covert access to their product for various reasons.

Either way, if I had this product on my network, it would already be turned off and the replacement from another vendor being overnighted.

It is appalling just how bad small business firewalls are. I've had experience with WG, SW, and ...something else that escapes me at the moment. They were all crap compared to Cisco. I have no idea why people are buying from these vendors when Cisco has an ASA at every price point and for every type of shop. The 5505 starts at only $300 FFS.

You obviously have no clue about the subject.

My company is a vendor for banking institutions, and I know that some of them use Barracuda hardware for VPN access. Someone is most likely sweating and working overtime now because of this scandal.

When you purchase a security product (which is not cheap by the way), it should go without saying that full control should be in your hands, and that all inbound access and all remote administration features are disabled by default, not to mention how remote administration should not work at all even if enabled without a proper password being set. Hell, even $60 TP-Link home routers do not allow remote administration by default.

@Dilbert:

Not everyone can afford Cisco equipment, not to mention that it requires a lot of serious training to learn how to use it properly while in many companies IT is understaffed and sometimes done by people from other departments (such as software engineering) if there is no dedicated IT personnel. Moreover, Cisco IOS has its own bugs and vulnerabilities, and without active support subscription (which adds to your expenses) you cannot have access to firmware updates.

Finally, Cisco is usually overkill if what you need is only multiple LAN-to-LAN VPN, not to mention that their latest and fully supported hardware accelerated routers offering such features (19xx, 29xx and 39xx series) cost an arm and a leg ($3500+).

Let's not forget that the choice of hardware and software is not the main issue here -- a much bigger and more serious issue is how nobody using Barracuda products caught that open port during a security audit.

Because by the time you pay for everything else to go with the ASA to make it as capable as some of the other firewalls you've spent a small fortune.

No, that's tinfoil hat material. You can look it up yourself, but BN was lazy and didn't bother restricting the subnets properly in the firewall rules. The first block is XO communications, and the first /25 of that belongs to... Barracuda.

The second block is a colocation provider. Obviously a /24 was too broad.

WTF with the Reynolds wrap in this thread? I'm not a particular fan of the company or anything, but all these leaps to "state-sponsored" and "just WHO is this backdoor for" seem a little Alex Jones-crazy.

How stupid is it to not audit your firewall's default firewall rules? Pretty stupid. Or pretty lazy.

Good point, except I'm betting that since the connection is apparently disallowed unless coming from an IP in those specific blocks, most security audits wouldn't detect it. Wouldn't a scanner need to spoof all IP addresses to have found this?
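The two points above (a /24 allowlist far broader than the addresses the vendor can account for, and an external scan never seeing a source-restricted port) can both be checked from the rule text rather than from a scanner. This is an added illustration, not code from the thread or from Barracuda; the rule set is constructed, and the "vendor-attributed" addresses are an assumption built from the commenter's claim about the first /25 and the hosts named in the linked article.

```python
import ipaddress

# Constructed rule set modelled on the thread: the two /24 source blocks that
# the appliance's firewall rules reportedly permit to reach the SSH management
# port. Nothing here is the vendor's real configuration.
MGMT_PORT = 22
ALLOW_RULES = [
    {"src": "205.158.110.0/24", "port": MGMT_PORT},
    {"src": "216.129.105.0/24", "port": MGMT_PORT},
]

# Address space an auditor could actually attribute to the vendor (assumption
# built from the thread: the commenter's claim that the first /25 of the XO
# block is Barracuda's, plus the hosts named in the linked article).
VENDOR_ATTRIBUTED = [ipaddress.ip_network(n) for n in (
    "205.158.110.0/25",
    "216.129.105.22/32", "216.129.105.38/32", "216.129.105.40/32",
    "216.129.105.42/32", "216.129.105.94/32",
)]


def unattributed_sources(rules, attributed):
    """For each rule, count permitted source addresses that nobody can justify.

    This is config review, not scanning: it reads the rule text, so it works
    regardless of where the auditor's own traffic originates.
    """
    report = {}
    for rule in rules:
        net = ipaddress.ip_network(rule["src"])
        stray = [a for a in net if not any(a in o for o in attributed)]
        report[rule["src"]] = len(stray)
    return report


def port_visible_from(rules, scanner_ip, port):
    """Would a port scan launched from scanner_ip observe `port` as reachable?

    Models the thread's observation: a source-restricted port stays invisible
    to an external scan unless the scanner sits inside a permitted block.
    """
    ip = ipaddress.ip_address(scanner_ip)
    return any(rule["port"] == port and ip in ipaddress.ip_network(rule["src"])
               for rule in rules)


if __name__ == "__main__":
    for src, n in unattributed_sources(ALLOW_RULES, VENDOR_ATTRIBUTED).items():
        print(f"{src}: {n} permitted source addresses with no owner on record")
    # An external scanner (RFC 5737 test address) never sees the port...
    print("seen from 198.51.100.7:", port_visible_from(ALLOW_RULES, "198.51.100.7", MGMT_PORT))
    # ...while any host in the unattributed half of the first /24 does.
    print("seen from 205.158.110.200:", port_visible_from(ALLOW_RULES, "205.158.110.200", MGMT_PORT))
```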

This is, obviously, pretty bad. But what would enrage me is if you run the equivalent of "show running config" and this doesn't show up (I'm assuming, or else it wouldn't be called a back door). That's outrageous.

While obvious built-in backdoors are the worst type of security faux pas, isn't this a non-story even for most affected devices?

We have the Spam and Link Balancer products, but we aren't retarded and don't have those devices pants down exposed to the public. They both sit behind a Cisco ASA that has all port 22 traffic blocked from not only the outside, but the inside as well. End of story as per the SEC Consultants advisory. Neither product needs that port to be open to function properly as documented in the admin guide and if you're leaving ports open 100% of the time because you "might" need a support tunnel one day, you're doing it wrong.

I freaked out when I saw this headline in Google Reader, but luckily we have other measures preventing their backdoor policies from affecting us.

Remote admin and remote support is one thing; the backdoor is a separate way a vendor can access and hard-reset units that are sent back for service or refurbished for which the password to re-enable the device is not available, or to override settings when some IT person "steals" the codes locking companies out of their own working networks. It's a failsafe when other methods to support the box can't be done. It's also a way to hot-load code or make manufacturing level changes to units already built before shipping without having to replace the firmware or go through a setup process. These interfaces are supposed to be limited to hard-wired connection ports (like serial connections) and not exposed to the general network where anyone without physical access could get to them. The details on this breach are not fully confirmed, and for all we know this backdoor is in fact only addressable over serial, in which case, it's basically a non-issue.

Agreed. Management ports and SSH access should generally be limited to a maintenance network anyway, at the very least a VLAN if not an entirely separate switch infrastructure and physical maintenance port on the device. In many secure enclaves, this is REQUIRED! (read your STIGs). If even end users, let alone the general public, can get to port 22 on any of your servers or management systems, YOU DID IT WRONG!